Amazon agreed on Wednesday to pay a civil penalty of $25 million to settle federal charges that it kept sensitive information collected from children for years, including their precise locations and voice recordings, in violation of a children’s online privacy law.
It was the latest legal action in an intensifying regulatory effort to require some of the world’s largest tech platforms to better safeguard their younger users.
The case, brought by the Federal Trade Commission and the Justice Department, centers on Amazon’s handling of the personal details it collected from children who conversed with Alexa, the company’s voice-activated virtual assistant.
In a legal complaint filed in U.S. District Court for the Western District of Washington, regulators said the tech giant had kept young people’s Alexa voice recordings indefinitely and used the data for business purposes like training its algorithm to understand children, violating the federal Children’s Online Privacy Protection Act.
That law, known as COPPA, requires online services aimed at people younger than 13 to obtain parental consent before collecting a child’s personal details and to allow parents to have their children’s data deleted. But even after parents sought to delete their children’s voice recordings, Amazon failed to delete transcripts of the children’s conversations with Alexa from all its databases, regulators said.
“Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated” the children’s online privacy law and “sacrificed privacy for profits,” Samuel Levine, director of the F.T.C.’s Bureau of Consumer Protection, said in a statement. “COPPA does not allow companies to keep children’s data forever for any reason, and certainly not to train their algorithms.”
The complaint also charged Amazon with deceiving consumers, including parents, by repeatedly assuring users they could delete data, like their Alexa voice recordings, yet failing to adequately honor users’ deletion requests.
Though it agreed to settle the charges, Amazon said it disagreed with the F.T.C.’s claims and denied violating the children’s law.
“We built Alexa with strong privacy protections and customer controls,” the company said in a statement. The statement added that the company had designed Amazon Kids, a service that enables parents to manage games, books and other content for their children, to comply with the children’s online privacy law, and that Amazon had worked with the F.T.C. before expanding the children’s content service to include Alexa.
Under the terms of the proposed settlement agreement, Amazon would be required to delete children’s voice recordings and precise location data as well as inactive Alexa accounts belonging to children. The proposed agreement also prohibits Amazon from misrepresenting how it handles users’ voice recordings, precise location data and children’s data.
A federal court must approve the settlement order.
The Amazon case comes at a moment of heightened public concern over how some prominent social networks, video game services and device makers treat their younger users. It highlights intensifying efforts by the Federal Trade Commission to force large tech platforms to bolster protections for sensitive information, like precise location or personal health details, whose disclosure could pose privacy or physical risks to adult consumers and children.
Last December, Epic Games, the maker of Fortnite, agreed to pay $520 million to settle accusations by the F.T.C. that it had illegally harvested data from players under 13 and, separately, steered millions of users to make unwanted payments. In 2019, Google agreed to pay a $170 million penalty to settle charges from the F.T.C. and the attorney general of New York that it had violated children’s privacy on YouTube.
The intensifying regulatory push to protect children online is not limited to the United States. Last September, Irish regulators announced they would levy a fine of about $400 million against Meta for its handling of children’s information on Instagram. Meta said it disagreed and planned to appeal.
In a separate case on Wednesday, the F.T.C. accused Ring, the home security camera service, of committing “egregious violations” of users’ privacy, saying that privacy and security failures at the company had enabled employees to illegally snoop on customers and allowed hackers to hijack users’ accounts.
Regulators said that Ring, which Amazon acquired in 2018, had “unreasonable” data security and privacy practices from at least 2016 through January 2020.
In 2017, for instance, one Ring employee viewed thousands of videos belonging to dozens of female customers, including in sensitive locations like the women’s bedrooms and bathrooms, the agency said in a legal complaint filed in U.S. District Court for the District of Columbia.
The proposed settlement order would require Amazon to pay $5.8 million in consumer refunds, institute stringent security measures and delete algorithms or other data products derived from the illegal viewing of consumers’ videos.
In a statement, Amazon said Ring had addressed the security and privacy issues before the F.T.C. had begun its inquiry.